fastify
npm: 9 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting fastify (page 1 of 1)
- CVE-2018-3711 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 0.38.0 | 2018-06-07
  Fastify node module before 0.38.0 is vulnerable to a denial-of-service attack by sending a request with "Content-Type: application/json" and a very large payload.
- CVE-2020-8192 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 2.15.1 | 2020-07-30
  A denial of service vulnerability exists in Fastify v2.14.1 and v3.0.0-rc.4 that allows a malicious user to trigger resource exhaustion (when the allErrors option is used) with specially crafted schemas.
- CVE-2022-39288 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 4.8.1 | 2022-10-10
  fastify is a fast and low overhead web framework for Node.js. Affected versions of fastify are subject to a denial of service via malicious use of the Content-Type header. An attacker can send an invalid Content-Type header that can cause…
- CVE-2022-41919 | MEDIUM | CVSS 4.2 | EG 4.2 | ✓ Fixed in 3.29.4 | 2022-11-22
  Fastify is a web framework with minimal overhead and plugin architecture. The attacker can use the incorrect `Content-Type` to bypass the `Pre-Flight` checking of `fetch`. `fetch()` requests with Content-Type's essence as "application/x-…
- CVE-2025-32442 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 5.3.2 | 2025-04-18
  Fastify is a fast and low overhead web framework for Node.js. In versions 5.0.0 to 5.3.0 as well as version 4.29.0, applications that specify different validation strategies for different content types have a possibility to bypass validat…
- CVE-2026-25223 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 5.7.2 | 2026-02-03
  Fastify is a fast and low overhead web framework for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By a…
- CVE-2026-25224 | LOW | CVSS 3.7 | EG 3.7 | ✓ Fixed in 5.7.3 | 2026-02-03
  Fastify is a fast and low overhead web framework for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify's Web Streams response handling can allow a remote client to exhaust server memory. Applications that ret…
- CVE-2026-33806 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 5.8.5 | 2026-04-15
  Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation i…
- CVE-2026-3635 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 5.8.3 | 2026-03-23
  Summary: When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto an…